With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge. Here is what everybody needs to know right now.

Fact: As we have published earlier, Stuxnet is fingerprinting its target by checking data block 890. This occurs periodically every five seconds out of the WinCC environment. Based on the conditional check in code that you can see above, information in DB 890 is manipulated by Stuxnet.

Interpretation: We assume that DB 890 is part of the original attacked application. We assume that the second DWORD of 890 points to a process variable. We assume that this process variable belongs to a slow running process because it is checked by Stuxnet only every five seconds.

Fact: Another fingerprint is DB 8062. Check for the presence of DB 8062 in your project.

Fact: Stuxnet intercepts code from Simatic Manager that is loaded to the PLC. Based on a conditional check, original code for OB 35 is manipulated during the transmission. If the condition matches, Stuxnet injects Step7 code into OB 35 that is executed on the PLC every time that OB 35 is called. OB 35 is the 100 ms timer in the S7 operating environment. The Step7 code that Stuxnet injects calls FC 1874. Depending on the return code of FC 1874, original code is either called or skipped. The return code for this condition is DEADF007 (see code snippet).

Information about new malware, a so-called trojan, which affects the WinCC SCADA visualization system, is being spread via the internet. This malware is distributed via USB sticks. Just viewing the content of a USB stick could activate this trojan.

The known variations of the malware are specifically directed at Siemens WinCC and PCS7 products. Over the weekend of July 17-18, news broke on the “Computerworld” technology Web site about a virus attacking industrial automation giant Siemens’ WinCC and PCS7 industrial control human-machine interface/supervisory control and data acquisition (HMI/SCADA) systems. The virus exploits Microsoft Windows operating systems when Universal Serial Bus (USB) memory sticks are inserted in a host computer and automatically loaded.

"Siemens was notified about the virus that is affecting its Simatic WinCC SCADA (Supervisory Control and Data Acquisition) systems on July 14. The company immediately assembled a team of experts to evaluate the situation. Siemens is taking all precautions to alert its customers to the potential risks of this virus.

"Siemens is reaching out to its sales team and will also speak directly to its customers to explain the circumstances. We are urging customers to carry out an active check of their computer systems with WinCC installations and use updated versions of antivirus software in addition to remaining vigilant about IT security in their production environments."

Well-known industrial cyber-security expert Eric Byres and his team conducted a weekend analysis, and Byres has issued a statement and is offering a White Paper analysis. Here is his analysis:

“Over the weekend my team has been investigating a new family of threats called Stuxnet that appear to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability. At the same time I also became aware of a concerted Denial of Service attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services offline.

“As best as I can determine, the facts are as follows:
• This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.
• There are no patches available from Microsoft at this time (there are workarounds which I will describe later).
• This malware is in the wild and probably has been for the past month.
• The known variations of the malware are specifically directed at Siemens WinCC and PCS7 products and the hardware PLCs S7-315 and S7-417.
• The malware is propagated via USB key. It may also be propagated via network shares from other infected computers.
• Disabling AutoRun DOES NOT HELP! Simply viewing an infected USB using Windows Explorer will infect your computer.
• The objective of the malware appears to be industrial espionage and sabotage, i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
• The malware infects PLCs S7-315 and S7-417 via modified S7 DLLs.

• The only known workarounds are:
  • NOT installing any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not
  • Disable the displaying of icons for shortcuts (this involves editing the registry)
  • Disable the WebClient service

“My team has attempted to extract and summarize all the relevant data (as of late Saturday night) and assemble it in a short white paper called “Analysis of Siemens WinCC/PCS7 Malware Attacks” which I have posted on my website in a secured area that can be accessed from http://www.tofinosecurity.com/professio ... cc-malware .

“If you would like to download the white paper, you will need to register on the web site and I will approve your registration as fast as I can. I have chosen to keep the whitepaper in a secure area as I do not want this information to be propagated to individuals that do not need to know and might not have our industries’ best interests at heart. People who are already http://www.tofinosecurity.com web members do not need to reregister.”

SAN DIEGO – July 19, 2010 – ESET has issued a warning against a worm dubbed Win32/Stuxnet, which threatens users around the globe. Exploiting a vulnerability in Windows® Shell, this dangerous threat is detected by ESET as LNK/Autostart.A. It is used in targeted attacks to penetrate SCADA systems, especially in the United States and Iran. SCADA are supervisory and monitoring systems used in many industries, for instance in power engineering... The danger lies in the Windows® OS vulnerability connected with processing of LNK files. Experts expect even more malware families to begin to exploit this security gap in the near future.

Clear Registry LNK tools
HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandle = [] (set empty)
Delete any value that is specified there (the parameter should be "empty"). Result: Windows will not run LNK tools and will not show the LNK shortcut image for the drive.

Current information on malware in connection with Simatic Software
The software/malware detects WinCC and Step 7 programs from Siemens and their data and can also contact and communicate with certain websites/servers...

If you look at these statistics, mapping the world, it becomes clear that the centers of the epidemic are three countries: Iran, India and Indonesia (all three start with the letter "I", funny). In each of these countries the number of incidents recorded over KSN exceeds 5000. Realtek is a hardware company, and writing software for its devices is a side process, for which the best option of all is the use of outsourcers. And which country is the world leader in outsourced programming? Correct: India. Can an outsourcer, creating software for the company, have the means to "sign" the program with this company's certificate? Probably yes. Thus, one can assume that the malicious program was created precisely in India (see the map) and, perhaps, not without an insider among the developers of applications for Realtek.

Possibly this Indian insider also works on programming the new Siemens WinCC/PCS7.

Indeed, Stuxnet tries to connect to the WinCC SCADA visualization system using the "default password" that Siemens built into its program.

Part of the worm is a very interesting component, a DLL file, which is a kind of "wrapper" around the original DLL from Siemens. This "wrapper" interacts with WinCC, forwarding most of the functions to the original DLL. Other functions it emulates itself!

Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Important note on the Microsoft Patch
The Microsoft patch only prevents the trojan from being installed automatically on the system. If a user with admin rights opens an infected LNK file by mouse click on a computer on which the Microsoft patch is installed, the computer will become infected if no virus scanner has been installed. To avoid such an infection, it is strongly recommended that users only log in with power user rights. Power users do not have the necessary permissions to start code from another drive. For additional security use an approved virus scanner.

Fact: Stuxnet intercepts code from Simatic Manager that is loaded to the PLC. Based on a conditional check, original code for OB 35 is manipulated during the transmission. If the condition matches, Stuxnet injects Step7 code into OB 35 that is executed on the PLC every time that OB 35 is called. OB 35 is the 100 ms timer in the S7 operating environment. The Step7 code that Stuxnet injects calls FC 1874. Depending on the return code of FC 1874, original code is either called or skipped...

Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of PLC blocks (code blocks and data blocks) that will be injected into the PLC to alter its behavior. The threat contains three infection sequences. Two of these sequences are very similar, and functionally equivalent. We dubbed these two sequences A and B. The third sequence was named sequence C. Stuxnet determines if the system is the intended target by fingerprinting it.

It checks:

* The PLC type/family: only CPUs 6ES7-417 and 6ES7-315-2 are infected
* The System Data Blocks: the SDBs will be parsed, and depending on the values they contain, the infection process will start with method of infection A, B or none. When parsing the SDBs the code searches for the presence of 2 values (7050h and 9500h), and depending on the number of occurrences of each of these values sequence A or B is used to infect the PLC.

The code also searches for the bytes 2C CB 00 01 at offset 50h in the SDB blocks, which appear if the CP 342-5 communications processor (used for Profibus-DP) is present. If these bytes are not found then infection does not occur.

Infection conditions for sequence C are determined by other factors.
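As an added illustration (not code from the page, from Symantec or from Langner), the following Python helper applies the fingerprint conditions quoted above to a raw SDB dump from an engineering backup: it counts the 16-bit values 7050h and 9500h, checks for the bytes 2C CB 00 01 at offset 50h, and reports whether the A/B infection path would be entered for a given CPU family. The big-endian word matching at every byte offset, the CPU family strings and the constructed sample SDB are assumptions; because the page does not say how the occurrence counts select A versus B, the helper reports the counts rather than a choice.

```python
# Added example (defender-side audit helper), not code from the page or from
# Symantec. It applies the quoted fingerprint conditions to a raw SDB dump.
from collections import Counter

CP342_5_MARKER = bytes.fromhex("2CCB0001")   # bytes 2C CB 00 01 from the text
MARKER_OFFSET = 0x50                          # offset 50h from the text
TARGET_CPUS = ("6ES7-417", "6ES7-315-2")      # CPU families named in the text


def scan_sdb(sdb: bytes) -> dict:
    """Count the 16-bit values 7050h and 9500h and check the CP 342-5 marker.

    Assumption (not stated on the page): values are matched as big-endian
    16-bit words at every byte offset, since S7 data is stored big-endian.
    """
    counts = Counter()
    for i in range(len(sdb) - 1):
        word = int.from_bytes(sdb[i:i + 2], "big")
        if word in (0x7050, 0x9500):
            counts[word] += 1
    marker = sdb[MARKER_OFFSET:MARKER_OFFSET + 4] == CP342_5_MARKER
    return {"count_7050": counts[0x7050],
            "count_9500": counts[0x9500],
            "cp342_5_marker": marker}


def assess(cpu_family: str, sdb: bytes) -> str:
    """Summarise whether a CPU/SDB pair matches the A/B fingerprint."""
    if cpu_family not in TARGET_CPUS:
        return "not a targeted CPU family"
    if cpu_family == "6ES7-417":
        return "CPU 417: only sequence C applies, conditions not covered here"
    r = scan_sdb(sdb)
    if not r["cp342_5_marker"]:
        return "no CP 342-5 marker: infection would not occur"
    if r["count_7050"] == 0 and r["count_9500"] == 0:
        return "CP 342-5 present, but no 7050h/9500h values found"
    return (f"matches A/B fingerprint ({r['count_7050']}x 7050h, "
            f"{r['count_9500']}x 9500h); which sequence is chosen depends on those counts")


def constructed_sdb() -> bytes:
    """Constructed sample (not a real dump): two 7050h words, one 9500h word, marker at 0x50."""
    buf = bytearray(0x60)
    buf[0x10:0x12] = (0x7050).to_bytes(2, "big")
    buf[0x20:0x22] = (0x9500).to_bytes(2, "big")
    buf[0x30:0x32] = (0x7050).to_bytes(2, "big")
    buf[MARKER_OFFSET:MARKER_OFFSET + 4] = CP342_5_MARKER
    return bytes(buf)


if __name__ == "__main__":
    print(assess("6ES7-315-2", constructed_sdb()))
```

Run against SDBs exported from a real project, a positive result only means the hardware configuration looks like the one Stuxnet was built for; it says nothing about whether the PLC is actually infected, which needs the block-level comparison discussed further down.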

2. Method of infection

Stuxnet uses the code-prepending infection technique. When Stuxnet infects OB1 it performs the following sequence of actions:

1. Increases the size of the original block
2. Writes malicious code to the beginning of the block
3. Inserts the original OB1 code after the malicious code

As well as infecting OB1, Stuxnet also infects OB35 in a similar fashion. It also replaces the standard coprocessor DP_RECV code block with its own, thereby hooking network communications on the Profibus (a standard industrial network bus used for distributed I/O).

The overall process of infection for methods A/B is as follows:

* Check the PLC type; it must be an S7/315-2
* Check the SDB blocks and determine whether sequence A or B should be written
* Find DP_RECV, copy it to FC1869, replace it with a malicious copy embedded in Stuxnet
* Write the malicious blocks (in total, 20 blocks) of the sequence, embedded in Stuxnet
* Infect OB1 so that the malicious code is executed at the start of a cycle
* Infect OB35, which will act as a watchdog
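The prepending pattern (steps 1 to 3 above), the DP_RECV replacement, and the block names mentioned earlier in the thread (FC 1874 called from the injected OB 35 code, DB 8062 as a fingerprint to check your project for, FC 1869 here) suggest a straightforward offline audit: upload the block images from the PLC and compare them with the engineering project. The Python below is an added example, not code from Symantec, Langner or the page; it assumes block images are available as byte strings keyed by block name (as one would obtain after an upload in Simatic Manager), and the byte strings it uses are constructed placeholders rather than real MC7 code.

```python
# Added example: compares PLC block images against the project baseline and
# flags (a) the code-prepending pattern, (b) replaced blocks, (c) blocks that
# exist on the PLC but not in the project, and (d) block names the thread
# associates with Stuxnet. Block contents below are constructed placeholders.

# Block names the thread associates with Stuxnet (FC1869 holds the displaced
# original DP_RECV; FC1874 is called from the injected OB35 code; DB8062 is a
# fingerprint block to check for).
KNOWN_STUXNET_BLOCKS = {"FC1869", "FC1874", "DB8062"}


def block_status(baseline: bytes, current: bytes) -> str:
    """Classify one block by comparing the PLC image with the project image."""
    if current == baseline:
        return "unchanged"
    if len(current) > len(baseline) and current.endswith(baseline):
        # Original code intact but pushed to the end: the prepending signature.
        return f"PREPENDED: {len(current) - len(baseline)} foreign bytes before original code"
    return "modified"


def audit_blocks(baseline: dict, plc: dict) -> dict:
    """Return {block name: status} for every block in either image set."""
    report = {}
    for name, image in plc.items():
        if name in KNOWN_STUXNET_BLOCKS:
            report[name] = "known Stuxnet block name present"
        elif name not in baseline:
            report[name] = "unexpected block (not in project)"
        else:
            report[name] = block_status(baseline[name], image)
    for name in baseline.keys() - plc.keys():
        report[name] = "missing from PLC"
    return report


def infected_blocks(report: dict) -> list:
    """Names whose status is anything other than 'unchanged'."""
    return sorted(n for n, s in report.items() if s != "unchanged")


# Constructed baseline (project) and PLC images; not real S7 block code.
BASELINE = {
    "OB1": b"\x70\x0e\x00\x10ORIGINAL-OB1",
    "OB35": b"\x70\x0e\x00\x10ORIGINAL-OB35",
    "FC1": b"FC1-CODE",
    "DP_RECV": b"DP_RECV-STANDARD",
}
PLC_AFTER_INFECTION = {
    "OB1": b"INJECTED" + BASELINE["OB1"],      # steps 1-3 applied to OB1
    "OB35": b"INJECTED" + BASELINE["OB35"],    # same treatment for OB35
    "FC1": BASELINE["FC1"],
    "DP_RECV": b"DP_RECV-MALICIOUS",           # standard block replaced
    "FC1869": BASELINE["DP_RECV"],             # displaced original DP_RECV
    "FC1874": b"STUXNET-FC",                   # block called from injected OB35
}

if __name__ == "__main__":
    for name, status in sorted(audit_blocks(BASELINE, PLC_AFTER_INFECTION).items()):
        print(f"{name:8} {status}")
```

The comparison has to be made against a project copy that was not itself opened on an infected engineering station, since the thread describes Stuxnet hooking the Simatic Manager process; a project archived before the incident, or one restored from read-only media, is the right baseline.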

Previous blog entries have covered several different Stuxnet propagation vectors, from autorun.inf tricks to zero-day vulnerabilities. Our research has also uncovered another method of propagation that impacts Step7 project folders, causing one to unknowingly become infected when opening an infected project folder that may have originated from a third party.

Stuxnet monitors Step7 projects (.S7P files) being worked on by hooking CreateFile-like APIs of specific DLLs within the s7tgtopx.exe process (the Simatic manager). Any project encountered by the threat in this way may be infected. Analysis additionally shows that projects inside Zip archives may also be infected through the same method.

The infection process consists of several distinct steps:

First, Stuxnet creates the following files:

* xutils\listen\xr000000.mdx: an encrypted copy of the main Stuxnet DLL
* xutils\links\s7p00001.dbf: a copy of a Stuxnet data file (90 bytes in length)
* xutils\listen\s7000001.mdx: an encoded, updated version of the Stuxnet configuration data block.....
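The three file paths above are relative to a Step7 project folder, and the earlier paragraph notes that projects inside Zip archives can be infected the same way. As an added example (not code from Symantec or the page), the Python below walks a folder of projects, matches file paths by their trailing `xutils\...` component, and inspects Zip member names without extracting anything. The `build_demo_tree()` layout and the zero-filled placeholder files are constructed for the demonstration and are not samples of the malware.

```python
# Added example: scans a folder of Step7 projects (and Zip archives found in
# it) for the three indicator files listed above. The placeholder contents
# written by build_demo_tree() are constructed, not real samples.
import os
import tempfile
import zipfile

# Relative paths quoted in the text, normalised to forward slashes, lower case.
INDICATORS = {
    "xutils/listen/xr000000.mdx": "encrypted copy of the main Stuxnet DLL",
    "xutils/links/s7p00001.dbf": "Stuxnet data file (90 bytes)",
    "xutils/listen/s7000001.mdx": "encoded, updated configuration data block",
}


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def _match(path: str):
    """Return the indicator description if the path ends with a known IoC path."""
    p = _norm(path)
    for ioc, desc in INDICATORS.items():
        if p.endswith(ioc):
            return desc
    return None


def scan_zip(zip_path: str) -> list:
    """Inspect archive members by name only; nothing is extracted."""
    hits = []
    with zipfile.ZipFile(zip_path) as archive:
        for member in archive.namelist():
            desc = _match(member)
            if desc:
                hits.append((f"{os.path.basename(zip_path)}:{member}", desc))
    return hits


def scan_tree(root: str) -> list:
    """Return (location, description) pairs for every indicator under root."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            desc = _match(rel)
            if desc:
                hits.append((_norm(rel), desc))
            elif name.lower().endswith(".zip"):
                hits.extend(scan_zip(full))
    return hits


def build_demo_tree(root: str) -> None:
    """Constructed demo layout: two indicator files in a project folder, one
    legitimate-looking file, and a third indicator inside a Zip archive."""
    project = os.path.join(root, "demo_project")
    for rel, size in (("xutils/listen/xr000000.mdx", 16),
                      ("xutils/links/s7p00001.dbf", 90),
                      ("xutils/listen/legit.mdx", 16)):
        target = os.path.join(project, *rel.split("/"))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(b"\x00" * size)            # placeholder bytes, not malware
    with zipfile.ZipFile(os.path.join(root, "archived.zip"), "w") as archive:
        archive.writestr("other_project/xutils/listen/s7000001.mdx", b"\x00" * 16)


def demo() -> list:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return sorted(scan_tree(root))


if __name__ == "__main__":
    for location, desc in demo():
        print(f"{location}: {desc}")
```

Matching by trailing path rather than by file name alone keeps the check specific to the `xutils` layout the text describes; a bare `.mdx` or `.dbf` name is common in legitimate projects and would drown the result in false positives.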

When looking through our archive, we were able to find a sample from June 2009. Therefore the attackers had been active for at least a year. We would not be surprised if they started even prior to that.

Stuxnet malware was targeted at Siemens control systems and therefore will not directly impact Schneider Electric systems. However, as the cyber security landscape evolves, users should continuously reassess their security policies and protocols to mitigate against future attacks.

However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland («Vacon») and the other in Tehran, Iran. This is in addition to the previous requirements we discussed of a S7-300 CPU and a CP-342-5 Profibus communications module....

Video: http://www.youtube.com/watch?v=cf0jlzVC ... r_embedded

The PLC is infected.
• Frequency converter slaves send records to their CP-342-5 master, building a frame of 31 records
• The CPU records the CP-342-5 addresses. The frames are examined and the fields are recorded.
• After approximately 13 days, enough events have been recorded, showing the system has been operating between 807 Hz and 1210 Hz.
• The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to 1410 Hz.
• Normal operation resumes. After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency initially to 2 Hz and then 1064 Hz.
• Normal operation resumes.
• After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to 1410 Hz.
• Normal operation resumes.
• After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency initially to 2 Hz and then 1064 Hz.
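The timeline above gives a defender a concrete signal: the drives normally run between 807 Hz and 1210 Hz, and each attack sequence pushes them well outside that band (1410 Hz, or 2 Hz before returning to 1064 Hz). The Python below is an added example, not code from Symantec or the page: it parses frequency records, flags readings outside the band, and labels each drive with the published sequence signature its readings match. The record layout and the sample lines are constructed for the illustration.

```python
# Added example: an out-of-band check over frequency converter telemetry.
# Record format and sample lines are constructed for this illustration.
NORMAL_BAND_HZ = (807.0, 1210.0)          # operating range given in the text

# Out-of-band setpoints the text attributes to the two attack sequences.
SEQUENCE_SIGNATURES = {
    1410.0: "sequence 1 (1410 Hz)",
    2.0: "sequence 2 (2 Hz, then 1064 Hz)",
}


def parse_record(line: str):
    """Constructed record layout: '<timestamp>,<drive address>,<frequency Hz>'."""
    ts, addr, hz = (field.strip() for field in line.split(","))
    return ts, int(addr), float(hz)


def out_of_band(lines, band=NORMAL_BAND_HZ) -> list:
    """Return (timestamp, drive, hz) for every reading outside the band."""
    lo, hi = band
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, addr, hz = parse_record(line)
        if not lo <= hz <= hi:
            alerts.append((ts, addr, hz))
    return alerts


def classify(alerts) -> dict:
    """Map each drive to the published sequence signatures its readings match."""
    result = {}
    for _, addr, hz in alerts:
        label = SEQUENCE_SIGNATURES.get(hz, f"unlisted out-of-band value ({hz} Hz)")
        result.setdefault(addr, set()).add(label)
    return {addr: sorted(labels) for addr, labels in result.items()}


# Constructed sample telemetry: two drives (addresses 3 and 4), normal
# readings, then the sequence 1 and sequence 2 setpoints from the text.
SAMPLE_LOG = """\
2010-01-01T00:00:00,3,1007.5
2010-01-01T00:00:05,3,1010.2
2010-01-01T00:00:10,4,1008.9
2010-01-14T03:00:00,3,1410.0
2010-01-14T03:00:00,4,1410.0
2010-02-10T03:00:00,3,2.0
2010-02-10T03:00:05,3,1064.0
"""

if __name__ == "__main__":
    alerts = out_of_band(SAMPLE_LOG.splitlines())
    for ts, addr, hz in alerts:
        print(f"{ts} drive {addr}: {hz} Hz out of band")
    print(classify(alerts))
```

The readings must come from a path the compromised controller cannot rewrite: the text says the infected PLC itself records the frames and hooks DP_RECV, so values read back through that PLC are not trustworthy, whereas the drives' own logs or a passive tap on the bus are.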

Who's lying? http://www.symantec.com/connect/blogs/stuxnet-breakthrough
In the Symantec demo example = CPU S7-315 2DP (6ES7 315-2AF03-0AB0) + a digital outputs module, with a simple program = main organization block OB1 with simple code (1 timer and 1 output). We see that the virus Stuxnet kills the simple control system immediately at startup! The virus can destroy any S7 control system!? It does not check the hardware configuration and program. It starts immediately at startup. And all that is written about the intelligence of the virus is a lie? No one can believe it.

To Langner: Not only Russian experts build automation facilities in Asian countries. For example, many Finnish companies operate in the region.

The distribution pattern and mass infection suggest that the virus spreads primarily at the domestic level, from hand to hand (from USB stick to USB stick), and not via the Internet. How much time would be needed to infect the area on its own?

Maybe it is easier to sell a batch of cheap USB sticks/photo memory cards with the virus preinstalled in the region? This may explain the infection in Indonesia, where there is no reactor.

According to probability theory, it can reach the target facility. Therefore, one cannot assert that the virus is being spread by "stupid" Russian specialists from ASE and "Power Machines".

Yes, this is Stuxnet. Very dangerous. KIS 2009 with the latest databases (17/11/2010) detects nothing; KIS 2011 detects all.
1. Test only on a single computer.
2. Do not insert the infected memory card.
3. The USB flash drive does not always become infected. To check, the USB stick/memory card can be viewed from DOS (booted from an old CD) with Norton Commander (Show Hidden files).

Even the hard-coded Siemens database password had been previously exposed. In April 2008, someone using the name “Cyber” had posted it online to German and Russian technical forums devoted to Siemens products.

On October 14, 2011, we were alerted to a sample by a research lab with strong international connections that appeared very similar to the Stuxnet worm from June of 2010. The threat was written by the same authors, or those that have access to the Stuxnet source code, and appears to have been created after the last Stuxnet file we recovered. Duqu’s purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Lately Kaspersky shows a nasty message when you run Simatic EKB Install. I do not know what the "store password" is. Maybe it's a reaction:
1. to reading the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Siemens; this is done to determine the installed Siemens software and fill the window "Required/installed keys".
2. to using MS Crypt functions to decrypt the encrypted EKB keys.
An example of running an older version of the program and its results, depending on the choice of the type of trust.

Hackers apparently based in Russia attacked a public water system in Illinois last week and damaged one of its pumps. The “Public Water District Cyber Intrusion” report gives details about the attack, saying it had resulted in the “burn out of a water pump” and had been traced to an Internet address in Russia. Federal officials said they were investigating the incident but played it down, implying that the report might be wrong.

Comparison of Antivirus Software for Detecting Various Types of Stuxnet

In this article we look at security products that are the main tools for disinfecting malware. We compare them with each other for detecting various types of Stuxnet malware across seven infected PCS7 projects. See the results.

I know Stuxnet is an old subject but I have some questions:
1) How can we know the PC (programming PC, not server) is really infected by Stuxnet?
2) Can or can't Stuxnet attack OP panels of type TP177B?
3) For protection from Stuxnet, is it enough to have the antivirus program Microsoft Security Essentials installed on the PC?
4) How can we clean an infected CPU? Is it enough to delete the online program from the memory card?
5) Is it possible, before starting the PLC and after download, to check all blocks and see if the PLC is infected by Stuxnet?
Please can you explain these questions to me. Thanks in advance

ONLY http://plcforum.uz.ua PLACES ORIGINAL LINKS TO EKB INSTALL WITHOUT BACKDOOR
Our project is not commercial. We do not earn money on the links. Romanians are making money on relinking our (your) links. And now they distribute a modified EKB Install - beware of backdoors and viruses in their "re-issued" version.

In government circles, for example, this would include an attack on an electricity grid or another hacking of the Bundestag - Germany's lower house of parliament. In this case, it would also be possible to remove the servers on which stolen parliament data is located.

On the 3rd and 8th of January 2018, Microsoft released updates for the Windows operating systems to close the vulnerabilities that are grouped under the names Meltdown and Spectre. There are compatibility issues with these updates, see e.g. the notes in the Windows Server 2012 R2 Update (https://support.microsoft.com/en-us/help/4056895/windows-81-update-kb4056895). According to current knowledge, these compatibility problems also affect SIMATIC products. For this reason, we recommend that you do not install these security updates.